Filtering out Syslog forward messages

I need a solution

Hey,

We’re forwarding SEP logs to the external Syslog server for further analysis.

The SEP sends a lot of OK messages that we don’t want to see.

There was a massive amount of “The management server received the client log successfully” messages – I’ve filtered them out by disabling “System Client-Server Activity Log”.

Now I’m trying to filter out positive messages similar to these:

Aug 23 12:01:18 SEPS1 Local: 2,Local: 484D7EBF6F59,Remote: 224.0.0.22,Remote: ,Remote: 0,Remote: 01005E000016,8,Outbound,Begin: 2017-08-23 12:00:02,End: 2017-08-23 12:00:02,Occurrences: 5,Application: ,Rule: Allow IGMP traffic,User: monik,Action: Allowed

Aug 23 12:21:24 SEPS1 ,Local: 1900,Local: 01005E7FFFFA,Remote: 10.150.100.173,Remote: ,Remote: 63854,Remote: 00118575A6A3,UDP,Inbound,Begin: 2017-08-23 12:15:53,End: 2017-08-23 12:15:57,Occurrences: 8,Application: ,Rule: Allow UPnP Discovery from private IP addresses,User: johnt,Action: Allowed

Aug 23 12:03:05 SEPS1 Local: 61645,Local: 00155D02463E,Remote: 192.116.194.3,Remote: ,Remote: 20,Remote: 001C7F3DDD29,TCP,Inbound,Begin: 2017-08-23 11:58:41,End: 2017-08-23 11:58:41,Occurrences: 1,Application: C:/SmartFTP/SmartFTP.exe,Rule: Allow 172.16.2.46 FTP,User: app_ftp,Action: Allowed

Any other ideas on how to set the Log Filters correctly to get only risk/block messages will be highly appreciated.

Attached is the screenshot of the current Log filter config.

Many thanks,

Gennady

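As an added illustration (not part of the post and not SEP code), the filter below shows what the Log Filters are meant to achieve on the forwarded lines: parse the comma-separated SEP firewall traffic format and keep only events whose Action is not "Allowed". The third sample line is constructed; the field naming for the two unnamed fields (protocol, direction) is an assumption taken from the samples.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample input: two "Allowed" lines copied from the post plus one
# hypothetical "Blocked" line in the same field layout (not real SEP output).
SAMPLE_LINES = [
    "Aug 23 12:03:05 SEPS1 Local: 61645,Local: 00155D02463E,Remote: 192.116.194.3,Remote: ,Remote: 20,Remote: 001C7F3DDD29,TCP,Inbound,Begin: 2017-08-23 11:58:41,End: 2017-08-23 11:58:41,Occurrences: 1,Application: C:/SmartFTP/SmartFTP.exe,Rule: Allow 172.16.2.46 FTP,User: app_ftp,Action: Allowed",
    "Aug 23 12:21:24 SEPS1 ,Local: 1900,Local: 01005E7FFFFA,Remote: 10.150.100.173,Remote: ,Remote: 63854,Remote: 00118575A6A3,UDP,Inbound,Begin: 2017-08-23 12:15:53,End: 2017-08-23 12:15:57,Occurrences: 8,Application: ,Rule: Allow UPnP Discovery from private IP addresses,User: johnt,Action: Allowed",
    "Aug 23 12:30:07 SEPS1 Local: 445,Local: 00155D02463E,Remote: 203.0.113.9,Remote: ,Remote: 51234,Remote: 001C7F3DDD29,TCP,Inbound,Begin: 2017-08-23 12:29:40,End: 2017-08-23 12:29:40,Occurrences: 3,Application: ,Rule: Block all other inbound,User: ,Action: Blocked",
]

SYSLOG_HEAD = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
BARE_FIELD_NAMES = ("protocol", "direction")  # order of the unnamed fields in the samples (assumption)


def parse_sep_event(line: str) -> Dict[str, str]:
    """Split one forwarded SEP firewall traffic event into a dict of fields."""
    m = SYSLOG_HEAD.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line[:40])
    event = {"timestamp": m.group("ts"), "host": m.group("host")}
    counts: Dict[str, int] = {}
    bare: List[str] = []
    for field in m.group("body").split(","):
        # Named fields are 'Key: value'; split on the first ': ' so 'Application: C:/...' keeps its colon.
        key, sep, value = field.partition(": ")
        if sep and key.isalpha():
            counts[key] = counts.get(key, 0) + 1  # Local/Remote repeat: port, MAC, ... -> Remote_2, Remote_3
            name = key if counts[key] == 1 else "%s_%d" % (key, counts[key])
            event[name] = value.strip()
        elif field.strip():
            bare.append(field.strip())
    for i, value in enumerate(bare):
        event[BARE_FIELD_NAMES[i] if i < len(BARE_FIELD_NAMES) else "extra_%d" % i] = value
    return event


def keep_noteworthy(lines: Iterable[str], drop_actions=frozenset({"Allowed"})) -> List[Dict[str, str]]:
    """Return parsed events whose Action is not in drop_actions (blocks, plus anything unexpected)."""
    kept: List[Dict[str, str]] = []
    for line in lines:
        try:
            event = parse_sep_event(line)
        except ValueError:
            # Keep unparsable lines rather than dropping them: a format change upstream
            # should become visible instead of silently hiding blocked traffic.
            kept.append({"raw": line, "Action": "unparsed"})
            continue
        if event.get("Action") not in drop_actions:
            kept.append(event)
    return kept
```

Dropping on Action rather than on the Rule name keeps the filter valid when allow rules are renamed, and the "unparsed" bucket is worth alerting on so a quiet feed is never mistaken for a clean one.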

Sep 14 MP2 Locations

I need a solution

Hello all, 

I am thinking about using quite a lot of different locations on a client due to the specific needs of their infrastructure. I have read a TN (https://support.symantec.com/en_US/article.TECH973…) which says that SYM does not recommend creating more than seven locations per group.

Note: Symantec does not recommend more than seven (7) locations per group when using Location Awareness. Exceeding this number can negatively affect the execution time on how long it takes the Endpoint Protection client to process and ultimately connect to a valid location when it meets all conditions.

In my experience, I have used a maximum of four locations for a group. Does anyone have experience using more than seven locations? Do you really notice the execution time badly affected?

In my environment I do not mind checking the location once per hour or even longer.

Kind regards,

Juan


Deleted Thunderbird inbox after SEP full scan

I need a solution

Hi all,

We have installed Symantec Endpoint Protection Manager 14 MP2 in our corporate network. During last night’s scheduled full scan, the SEP client found suspicious mails on one of the computers. This morning, after we closed SEP’s information popup windows, Thunderbird suddenly crashed. After the next start of the program, we saw that not all mails were present, and after we checked the file location, we found that the inbox file was too small. We realized that this “new” inbox contains only mails from this morning, but not the older ones. There were no records that the old inbox file was deleted in the “Risk logs” on the local SEP client. Only in the Windows application log did we find information that the inbox file was successfully deleted (Security Risk Found! JS.Downloader.D in File: PATHinbox  by: Scheduled scan. Action: Cleaned by Deletion.  Action Description: The file was deleted successfully.).

Is there any method so we can restore the old inbox?

Thanks in advance!


How does a client locate the nearest GUP in a multiple GUP config

I need a solution

Hi –

I am trying to create a common LU policy that spans multiple different linked sites in different geographic regions. I was planning on using a policy with a Multiple GUP configuration, with a GUP defined for each location that needs one. From the documentation I get that with this config, the list of available GUPs becomes available to all clients.

The question is, how do the clients detect the nearest GUP if the GUP itself is not in the same subnet as the clients? For example, in most of our locations the servers and workstations will be in different subnets, even though they are in the same physical location. So how do the clients detect the nearest GUP (or in this case would they detect a GUP at all, and instead go to the default management server, which may be in a different geographic region)?

I have a design that has sites spread over several physical geographic locations. The intention is that the clients in the hub site will download from the site SEPM, and clients in other locations would download from a local GUP.

Thanks


Add Office version column to a report

I need a solution

Hi everyone; I feel odd asking for help with this, but I have no experience with report creation in Altiris. I also don’t have any experience in SQL. My main inquiry is: I have an “all computers” report to which I need to add a column that would show the version of Office installed. Not sure what I can and can’t post, but I have the code for the report if needed. I’d appreciate any help. Thanks.


Varonis DatAnywhere with DLP

I need a solution

Hi,

Need help integrating DLP with Varonis DatAnywhere.

The goal is to ensure that the files being uploaded to DatAnywhere are all password protected beforehand.

If they are not, DLP should prevent it from being uploaded to DatAnywhere.

A How-To, step by step would be really appreciated and a great help!

Thank you!


What is the procedure to integrate Symantec DLP email protect with Proofpoint

I need a solution

We have an environment where all the email is encrypted and monitored by Proofpoint email protection. Now we are planning to integrate Symantec DLP Email Prevent with Proofpoint.

Kindly let me know the requirements, process and procedure to complete this implementation.


Filename Exclusions

I need a solution

We have a use case where we want to ignore filenames that start with image00* and att00* for a specific rule, but continue to check for rule triggers with other filenames. I’m afraid that if I create a filename exclusion, once DLP sees that filename it will exclude ALL the policy rules for that whole message.
 
Am I understanding the logic right or is there another way around it?
 
Example:
 
A “123ABC” policy that has a DCM rule which matches the word 123ABC in ANY attachment except for attachments that start with the name image00* or att00*.
 
testing.txt = “This is a test document 123ABC”
att0001.txt = “Another test document”
image001.jpg = Test Image
 
Example message 1:
Attachment Name: testing.txt
Outcome: Alert because testing.txt is a valid filename
 
Example message 2:
Attachment Name: att0001.txt
Outcome: No Alert because att0* is excluded.
 
Example message 3:
Attachment Name: image001.jpg
Outcome: No Alert because image0* is excluded.
 
Example message 4:
Attachment Name: testing.txt & att0001.txt
Outcome: Alert because testing.txt is a valid filename
 
Example message 5:
Attachment Name: testing.txt & att0001.txt & image001.jpg
Outcome: Alert because testing.txt is a valid filename
 
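To make the two readings in the question testable, here is an added model (not DLP product code, and not a statement of how DLP actually behaves): one evaluator applies the filename exclusion per attachment, the other applies it to the whole message, and both are checked against the five example messages and the outcomes the post expects. Attachment contents and the glob patterns are taken from the post; everything else is constructed.

```python
import fnmatch
from typing import Callable, List, Sequence

# Constructed attachments from the post's example (contents as given there).
ATTACHMENTS = {
    "testing.txt": "This is a test document 123ABC",
    "att0001.txt": "Another test document",
    "image001.jpg": "Test Image",
}
KEYWORD = "123ABC"                               # the DCM rule's keyword
EXCLUDED_NAME_PATTERNS = ("image00*", "att00*")  # filename exclusions

# The five example messages from the post and the outcome it expects (True = alert).
MESSAGES: List[List[str]] = [
    ["testing.txt"],
    ["att0001.txt"],
    ["image001.jpg"],
    ["testing.txt", "att0001.txt"],
    ["testing.txt", "att0001.txt", "image001.jpg"],
]
EXPECTED = [True, False, False, True, True]


def name_is_excluded(name: str) -> bool:
    return any(fnmatch.fnmatchcase(name.lower(), p) for p in EXCLUDED_NAME_PATTERNS)


def alert_per_attachment(names: Sequence[str]) -> bool:
    """Reading 1: the exclusion only removes the matching attachment from the
    rule; every other attachment in the message is still matched on the keyword."""
    return any(KEYWORD in ATTACHMENTS[n] for n in names if not name_is_excluded(n))


def alert_whole_message(names: Sequence[str]) -> bool:
    """Reading 2 (the poster's worry): one excluded attachment switches the
    rule off for the entire message, so nothing else in it is checked."""
    if any(name_is_excluded(n) for n in names):
        return False
    return any(KEYWORD in ATTACHMENTS[n] for n in names)


def mismatches(evaluator: Callable[[Sequence[str]], bool]) -> List[int]:
    """1-based numbers of the example messages where evaluator disagrees with
    the outcomes the post expects; an empty list means the reading fits."""
    return [i + 1 for i, (msg, want) in enumerate(zip(MESSAGES, EXPECTED))
            if evaluator(msg) != want]
```

The two readings only diverge on messages 4 and 5, so those are the messages to send through a test policy: if they alert, the exclusion behaves per attachment; if they stay silent, it suppresses the rule for the whole message.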

Can Symantec Protection Engine for NAS be installed on NAS itself?

I need a solution

Hi,

I just want to know if Symantec Protection Engine for Network Attached Storage can be installed and run within the NAS itself, especially on most commercial devices with Linux?

E.g.,

a. If I have a D-Link DNS-320L, can I deploy Symantec Protection Engine for Network Attached Storage on it?

b. Otherwise, if I have an Asustor NAS, can I also deploy Symantec Protection Engine for Network Attached Storage on it?

Thanks.
